

ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
( ) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


( ) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Q3 


Does the draft guidance contain enough examples? 
( ) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don't know, please provide any examples that you think should be included in
the draft guidance.


Q4 


We have found that data protection professionals often struggle with applying and
defining 'manifestly unfounded or excessive' subject access requests. We would like to
include a wide range of examples from a variety of sectors to help you. Please provide
some examples of manifestly unfounded and excessive requests below (if applicable).


Staff or ex-staff DSARs requesting access to "all personal data". Unstructured data
such as emails run into hundreds of thousands (if not millions depending on length
of tenure) of instances. These all need to be reviewed for applicability and redacted
as appropriate. We have also seen a significant rise in pre-litigation requests where
the DSAR is used as a way of pre-disclosure, without the legal controls surrounding
"disclosure" such as the right of a party to request further clarification on content of
documents. There is no opportunity to do so in the DSAR process where redacted
documents can be incredibly misleading.


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful | 2 - Slightly useful | 3 - Moderately useful | 4 - Very useful | 5 - Extremely useful


Q6 Why have you given this score? 


More industries need to be covered and distinction made between size of company 
and types of systems/processes. It is not sustainable in a large consumer facing 
organisation with multiple customer touch points to mandate that a DSAR can be 
verbal, come in via social media, need not be called a DSAR (just asking for 
information) etc. Guidance should refer to controls, processes rather than de facto 
interpretation that may not work across different industries etc. Best practice 
proposals given on how to conduct a methodological DSAR to get some consistency - 
at the moment there is a great difference in interpretation on many aspects 
including what a data controller should produce. Should be tied into other parts of 
the legislation such as ROPAs etc and how they can be used to conduct a search. 
Examples of Employee DSARs and what they should expect to receive - there is a
misunderstanding generally propagated by "ambulance chasing" third parties. Clearer
distinction should also be made between what is "guidance" and what is "legislation" 
- perhaps a statement at the beginning of the guidance that an organisation is 
recommended to seek professional assistance for its particular circumstances. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree | Disagree | Neither agree nor disagree | Agree | Strongly agree


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Example of principles to help conduct a DSAR:
1. A clearly defined Records of Processing
2. An inventory of data assets, mapped to data processes etc.
3. An effective and active control process that keeps both up-to-date
4. Set up a clear methodology for conducting DSARs within the parameters above.
This should be a minimum for effective DSAR management. Then in my humble, searching within
those data assets should be deemed reasonable in the absence of further direction
from the data subject.


Are you answering as: 

( ) An individual acting in a private capacity (eg someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
( ) On behalf of an organisation
( ) Other

Please specify the name of your organisation: 

M&G plc 
What sector are you from: 


Insurance and Investment Management 


Q10 How did you find out about this survey? 
( ) ICO Twitter account
( ) ICO Facebook account
( ) ICO LinkedIn account
( ) ICO website
( ) ICO newsletter
( ) ICO staff member
( ) Colleague
( ) Personal/work Twitter account
( ) Personal/work Facebook account
( ) Personal/work LinkedIn account
( ) Other
If other please specify: 


